Canada lawful access bill faces backlashes from privacy watchdog and tech giants

Canadian Privacy Commissioner Philippe Dufresne said Tuesday that the federal lawful access bill requires further amendments to strengthen privacy protections for Canadians, despite the government’s previous efforts.

If enacted, Bill C-22 would authorize law enforcement officers to obtain subscriber information from electronic service providers for criminal investigations. Dufresne urged Parliament to limit the bill’s definition of subscriber information to a finite list. He warned that the current wording might give officers access to sensitive information such as a subscriber’s healthcare providers, lawyers or financial institutions.

Dufresne also raised concern about a provision exempting law enforcement from judicial oversight when receiving publicly available information. He recommended requiring officers to obtain a judicial warrant whenever Canadians retain a reasonable expectation of privacy in the information sought, including data exposed through breaches or leaks.

In addition, Dufresne called for the inclusion of an overarching obligation that government actions be necessary and proportionate. This amendment, if adopted, would appear in the proposed Supporting Authorized Access to Information Act contained in Part 2 of the bill. The act would require electronic service providers to retain categories of metadata, including transmission data, of all users in Canada for up to one year.

Tech giants, such as Apple and Google, voiced concerns Tuesday over the act’s privacy intrusion before the House of Commons Standing Committee on Public Safety and National Security. Erik Neuenschwander, Apple’s senior director on user privacy, said: “This bill allows the Government of Canada to force companies to break encryption by inserting backdoors into their products, something Apple will never do.”

Other technology companies, such as Signal and NordVPN, previously indicated that they might leave Canada if Parliament passes the bill in its current form.

Michael Geist, privacy law professor at the University of Ottawa, also criticized the lowered threshold of “reasonable grounds to suspect” for law enforcement officers to compel subscriber information from electronic service providers through a court order. In Tuesday’s hearing, he argued that the act is likely to face constitutional challenges because it ignores the “technological reality of what subscriber information may reveal.”

The legislation follows two rulings from the Supreme Court of Canada, recognizing that subscriber information, including internet protocol (IP) addresses, can disclose highly sensitive personal information. It therefore attracts constitutional protection against unreasonable search and seizure. Geist previously described the government’s silence on how the law complies with the court’s jurisprudence as “wilful blindness.”

Federal Justice Minister Sean Fraser defended the bill, maintaining that law enforcement use and collection of subscriber data would remain subject to Charter scrutiny.

Elsewhere, Australia’s data retention law requires telecommunications companies to retain certain data for at least two years. Germany is also moving, as of late April, to require companies to store IP addresses for three months as a precautionary measure. This is happening despite the Court of Justice of the European Union’s repeated prohibition of general and indiscriminate data retention regimes. How Canada will move to strengthen online law enforcement remains to be seen.